global
    maxconn 100000
    daemon
    ca-base /srv/newsblur/config/certificates
    crt-base /srv/newsblur/config/certificates
    tune.bufsize 32000
    tune.maxrewrite 8196
    tune.ssl.default-dh-param 2048
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    log 127.0.0.1 local0 notice
    log 127.0.0.1 local1 info

resolvers consul
    nameserver consul 127.0.0.1:53
    accepted_payload_size 8192 # allow larger DNS payloads

defaults
    log global
    maxconn 100000
    mode http
    option forwardfor
    option http-server-close
    option httpclose
    option log-health-checks
    option log-separate-errors
    option httplog
    option redispatch
    option abortonclose
    retries 2
    timeout connect 10s
    timeout client 10s
    timeout server 10s
    timeout queue 10s
    errorfile 502 /srv/newsblur/templates/502.http
    errorfile 503 /srv/newsblur/templates/502.http
    errorfile 504 /srv/newsblur/templates/502.http

    # balance roundrobin

frontend public
    bind :80
    bind :443 ssl crt /srv/newsblur/config/certificates/newsblur.com.pem alpn h2,http/1.1

    http-response add-header Strict-Transport-Security max-age=0;\ includeSubDomains
    option http-server-close

    acl gunicorn_dead nbsrv(app_django) lt 1
    acl nginx_dead nbsrv(nginx) lt 1
    acl mx_mode nbsrv(maintenance) lt 1
    acl is_unread_count url_beg /reader/feed_unread_count
    acl is_discover url_beg /rss_feeds/discover
    acl is_refresh_feeds url_beg /reader/refresh_feed
    acl is_original_text url_beg /rss_feeds/original_text
    acl is_river url_beg /reader/river_stories
    acl is_automated_river urlp(h) -m found
    acl is_dashboard url_param(dashboard) -i true

    monitor-uri /status
    monitor fail if gunicorn_dead
    monitor fail if nginx_dead
    monitor fail if mx_mode

    # Redirect all HTTP traffic to HTTPS
    acl is_root path /
    redirect scheme https if is_root !{ ssl_fc }
    
    use_backend app_push if { hdr_end(host) -i push.newsblur.com }
    use_backend node_socket if { path_beg /v3/socket.io/ }
    use_backend node_favicons if { path_beg /rss_feeds/icon/ }
    use_backend node_text if { path_beg /rss_feeds/original_text_fetcher }
    use_backend node_images if { hdr_end(host) -i imageproxy.newsblur.com }
    use_backend node_images if { hdr_end(host) -i imageproxy2.newsblur.com }
    use_backend node_page if { path_beg /original_page/ }
    use_backend blog if { hdr_end(host) -i blog.newsblur.com }
    use_backend sentry if { hdr_end(host) -i sentry.newsblur.com }
    use_backend forum if { hdr_end(host) -i forum.newsblur.com }
    use_backend forum if { hdr_end(host) -i forum2.newsblur.com }
    use_backend forum if { hdr_end(host) -i forum3.newsblur.com }
    use_backend nginx if { path_beg /media/ }
    use_backend nginx if { path_beg /static/ }
    use_backend nginx if { path_beg /favicon }
    use_backend nginx if { path_beg /crossdomain/ }
    use_backend nginx if { path_beg /robots }
    use_backend metrics if { path_beg /metrics }
    #use_backend self if { path_beg /munin/ }
    use_backend db_metrics if { hdr_end(host) -i metrics.newsblur.com }
    use_backend consul_manager if { hdr_end(host) -i consul.newsblur.com }
    use_backend nginx if mx_mode

    use_backend app_count if is_unread_count
    use_backend app_count if is_discover
    use_backend app_refresh if is_refresh_feeds
    use_backend app_refresh if is_dashboard
    use_backend app_refresh if is_original_text
    use_backend app_refresh if is_river is_automated_river
    use_backend app_django unless gunicorn_dead || nginx_dead

backend nginx
    option httpchk GET /_nginxchk
    http-check expect rstatus 200|503
    default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none
    {% for host in groups.hweb %}
        server nginx-{{host}} {{host}}.node.nyc1.consul:80
    {% endfor %}

backend app_django
    balance roundrobin
    option allbackups
    option httpchk GET /_haproxychk
    default-server check inter 1000ms on-error mark-down fall 2 rise 1 resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none
    {% for host in groups.hdjango %}
    server {{host}} {{host}}.node.nyc1.consul:8000
    {% endfor %}

backend app_count
    balance roundrobin
    option allbackups
    option httpchk GET /_haproxychk
    default-server check inter 1000ms on-error mark-down fall 2 rise 1 resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none
    {% for host in groups.hcount %}
    server {{host}} {{host}}.node.nyc1.consul:8000
    {% endfor %}
    # server-template app-counts 1 _app-counts._tcp.service.nyc1.consul:8000 check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none
    
backend app_refresh
    balance roundrobin
    option allbackups
    option httpchk GET /_haproxychk
    default-server check inter 1000ms on-error mark-down fall 2 rise 1 resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none
    {% for host in groups.hrefresh %}
    server {{host}} {{host}}.node.nyc1.consul:8000
    {% endfor %}
    # server-template app-refresh 1 _app-refresh._tcp.service.nyc1.consul:8000 check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none

backend app_push
    balance roundrobin
    option allbackups
    option httpchk GET /_haproxychk
    default-server check inter 1000ms on-error mark-down fall 2 rise 1 resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none
    {% for host in groups.hpush %}
    server {{host}} {{host}}.node.nyc1.consul:8000
    {% endfor %}
    # server-template app-push 1 _app-push._tcp.service.nyc1.consul:8000 check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none

backend node_images
    option httpchk HEAD /sc,seLJDaKBog3LLEMDe8cjBefMhnVSibO4RA5boZhWcVZ0=/https://samuelclay.com/static/images/2019%20-%20Cuba.jpg
    http-check expect rstatus 200|301
    default-server check inter 10000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none
    {% for host in groups.hnode_images %}
        server {{host}} {{host}}.node.nyc1.consul:8088
    {% endfor %}

backend node_socket
    balance roundrobin
    option http-server-close
    timeout client 120s
    timeout server 120s
    timeout connect 10s
    timeout tunnel 3600s
    default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none
    {% for host in groups.hnode_socket %}
        server {{host}} {{host}}.node.nyc1.consul:8008
    {% endfor %}

backend node_favicons
    http-check expect rstatus 200|503
    option httpchk GET /rss_feeds/icon/1
    balance roundrobin
    default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none
    {% for host in groups.hnode_favicons %}
        server {{host}} {{host}}.node.nyc1.consul:8008
    {% endfor %}

backend node_text
    http-check expect rstatus 200|503
    option httpchk GET /rss_feeds/original_text_fetcher?test=1
    balance roundrobin
    default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none
    {% for host in groups.hnode_text %}
        server {{host}} {{host}}.node.nyc1.consul:8008
    {% endfor %}

backend node_page
    http-check expect rstatus 200|503
    option httpchk GET /original_page/1?test=1
    balance roundrobin
    default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none
    {% for host in groups.hnode_page %}
        server {{host}} {{host}}.node.nyc1.consul:8008
    {% endfor %}

backend staging
    balance roundrobin
    option httpchk GET /_haproxychk
    default-server check inter 1000ms on-error mark-down fall 2 rise 1 resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none
    {% for host in groups.staging %}
    server {{host}} {{host}}.node.nyc1.consul:8000
    {% endfor %}

backend blog
    balance roundrobin
    option httpchk GET /_nginxchk
    default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none
    {% for host in groups.blogs %}
        server {{host}} {{host}}.node.nyc1.consul:80
    {% endfor %}

backend sentry
    balance roundrobin
    option httpchk GET /_health
    default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none
    {% for host in groups.sentry %}
        server {{host}} {{host}}.node.nyc1.consul:9000
    {% endfor %}

backend forum
    balance roundrobin
    default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none
    {% for host in groups.forum %}
        server {{host}} {{host}}.node.nyc1.consul:80
    {% endfor %}

backend db_metrics
    balance roundrobin
    # option httpchk GET /_haproxychk
    default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none
    server db-grafana grafana.service.nyc1.consul:3000

backend metrics
    option httpchk GET /_haproxychk
    http-check expect rstatus 200|301
    server happ-web-01 happ-web-01.node.nyc1.consul:8000 check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none

backend postgres
    option httpchk GET /db_check/postgres
    default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none
    {% for host in groups.postgres %}
        server {{host}} {{host}}.node.nyc1.consul:5579
    {% endfor %}
    server hdb-postgres-secondary2 hdb-redis-secondary.node.nyc1.consul:5579

backend mongo
    option httpchk GET /db_check/mongo
    default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none
    {% for host in groups.mongo %}
        server {{host}} {{host}}.node.nyc1.consul:5579
    {% endfor %}

backend mongo_analytics
    option httpchk GET /db_check/mongo_analytics
    default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none
    {% for host in groups.mongo_analytics %}
        server {{host}} {{host}}.node.nyc1.consul:5579
    {% endfor %}

backend db_redis_user
    option httpchk GET /db_check/redis_user
    default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none
    {% for host in groups.redis_user %}
        server {{host}} {{host}}.node.nyc1.consul:5579
    {% endfor %}
    server hdb-redis-secondary hdb-redis-secondary.node.nyc1.consul:5579

backend db_redis_story
    option httpchk GET /db_check/redis_story
    default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none
    {% for host in groups.redis_story %}
        server {{host}} {{host}}.node.nyc1.consul:5579
    {% endfor %}
    server db-redis-secondary hdb-redis-secondary.node.nyc1.consul:5579

backend db_redis_sessions
    option httpchk GET /db_check/redis_sessions
    default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none
    {% for host in groups.redis_session %}
        server {{host}} {{host}}.node.nyc1.consul:5579
    {% endfor %}
    server db-redis-secondary hdb-redis-secondary.node.nyc1.consul:5579

backend db_redis_pubsub
    option httpchk GET /db_check/redis_pubsub
    default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none
    server hdb-redis-pubsub db-redis-pubsub.service.nyc1.consul:5579

backend db_elasticsearch
    option httpchk GET /db_check/elasticsearch
    default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none
    {% for host in groups.elasticsearch %}
        server {{host}} {{host}}.node.nyc1.consul:5579
    {% endfor %}

backend consul_manager
    balance roundrobin
    # option httpchk GET /_haproxychk
    default-server check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none
    server db-consul-manager consul-manager.service.nyc1.consul:8500

backend maintenance
    option httpchk HEAD /maintenance
    http-check expect status 404
    http-check send-state
    # server maintenance app-django1.node.nyc1.consul:80 check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none
    server maintenance happ-web-01.node.nyc1.consul:80 check inter 2000ms resolvers consul resolve-prefer ipv4 resolve-opts allow-dup-ip init-addr none

listen stats
bind :1936 ssl crt {{ ssl_certificate }}

stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /
stats auth gimmiestats:StatsGiver
stats refresh 15s
